[RFC PATCH 1/4] mbedtls: enable support of ecc
Raymond Mao
raymondmaoca at gmail.com
Mon Feb 2 20:03:02 CET 2026
Hi Philippe,
On Mon, Feb 2, 2026 at 12:05 PM Philippe Reynes
<philippe.reynes at softathome.com> wrote:
>
> Enables the support of ecc in mbedtls.
>
> Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com>
> ---
> lib/mbedtls/Kconfig | 8 ++++++++
> lib/mbedtls/Makefile | 7 +++++++
> lib/mbedtls/mbedtls_def_config.h | 18 ++++++++++++++++++
> 3 files changed, 33 insertions(+)
>
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> index 789721ee6cd..90c007df850 100644
> --- a/lib/mbedtls/Kconfig
> +++ b/lib/mbedtls/Kconfig
> @@ -157,6 +157,7 @@ config MBEDTLS_LIB_CRYPTO
> select SHA256_MBEDTLS if SHA256
> select SHA512_MBEDTLS if SHA512
> select SHA384_MBEDTLS if SHA384
> + select ECDSA_MBEDTLS if ECDSA
> help
> Enable MbedTLS native crypto libraries.
> Mutually incompatible with MBEDTLS_LIB_HASHING_ALT.
> @@ -231,6 +232,13 @@ config HKDF_MBEDTLS
> This option enables support of key derivation using HKDF algorithm
> with MbedTLS crypto library.
>
> +config ECDSA_MBEDTLS
> + bool "Enable ECDSA support with MbedTLS crypto library"
> + depends on MBEDTLS_LIB_CRYPTO && ECDSA
> + help
> + This option enables support of ECDSA with the MbedTLS crypto
> + library.
> +
ECDSA config should be under MBEDTLS_LIB_X509 instead of MBEDTLS_LIB_CRYPTO.
> endif # MBEDTLS_LIB_CRYPTO
>
> config MBEDTLS_LIB_X509
> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> index c5b445bd85c..54a893609cf 100644
> --- a/lib/mbedtls/Makefile
> +++ b/lib/mbedtls/Makefile
> @@ -35,6 +35,11 @@ mbedtls_lib_crypto-$(CONFIG_$(PHASE_)SHA512_MBEDTLS) += \
> $(MBEDTLS_LIB_DIR)/sha512.o
> mbedtls_lib_crypto-$(CONFIG_$(PHASE_)HKDF_MBEDTLS) += \
> $(MBEDTLS_LIB_DIR)/hkdf.o
> +mbedtls_lib_crypto-$(CONFIG_$(PHASE_)ECDSA_MBEDTLS) += \
> + $(MBEDTLS_LIB_DIR)/ecdsa.o \
> + $(MBEDTLS_LIB_DIR)/ecp.o \
> + $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o
Currently these ecp*.o are imported by MBEDTLS_LIB_TLS, refactoring is
required to avoid duplications when multiple kconfigs are selected.
>
> # MbedTLS X509 library
> obj-$(CONFIG_$(XPL_)MBEDTLS_LIB_X509) += mbedtls_lib_x509.o
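Review bot: The new ECDSA_MBEDTLS object list (ecdsa.o, ecp.o, ecp_curves.o, ecp_curves_new.o) has no bignum objects, yet the matching config hunk turns on MBEDTLS_BIGNUM_C and both ecdsa.c and ecp.c call mbedtls_mpi_* routines; unless bignum.o/bignum_core.o (and the bignum_mod*.o files in 3.6) are already pulled in by another option not visible here, a build with ECDSA_MBEDTLS but without the RSA/public-key options will fail at link time. The same goes for the ASN.1 helpers ecdsa.c uses to read and write DER signatures (asn1parse.o/asn1write.o). I would add `$(MBEDTLS_LIB_DIR)/bignum.o` and `$(MBEDTLS_LIB_DIR)/bignum_core.o` to this list, or state in the commit message which existing symbol guarantees they are built. Note also that only one of ecp_curves.o / ecp_curves_new.o carries code for a given MBEDTLS_ECP_WITH_MPI_UINT setting; listing both is harmless but worth a one-line comment, e.g. `# ecp_curves_new.o is empty unless MBEDTLS_ECP_WITH_MPI_UINT is set`.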
> @@ -52,6 +57,8 @@ mbedtls_lib_x509-$(CONFIG_$(PHASE_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
> $(MBEDTLS_LIB_DIR)/pk.o \
> $(MBEDTLS_LIB_DIR)/pk_wrap.o \
> $(MBEDTLS_LIB_DIR)/pkparse.o
> +mbedtls_lib_x509-$(CONFIG_$(PHASE_)ECDSA_MBEDTLS) += \
> + $(MBEDTLS_LIB_DIR)/pk_ecc.o
ditto.
> mbedtls_lib_x509-$(CONFIG_$(PHASE_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
> $(MBEDTLS_LIB_DIR)/x509_crl.o \
> $(MBEDTLS_LIB_DIR)/x509_crt.o
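Review bot: pk_ecc.o is gated on ECDSA_MBEDTLS, but the pk.o/pk_wrap.o/pkparse.o objects that actually call into it are gated on ASYMMETRIC_PUBLIC_KEY_MBEDTLS three lines above, and nothing visible in this series ties the two symbols together. With ECDSA_MBEDTLS set and ASYMMETRIC_PUBLIC_KEY_MBEDTLS unset you get an orphan pk_ecc.o in the X.509 library; with the reverse you get pkparse.o unable to parse EC keys at all. Either make `ECDSA_MBEDTLS` `depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS` in Kconfig, or fold the line into the ASYMMETRIC_PUBLIC_KEY_MBEDTLS list as `$(if $(CONFIG_$(PHASE_)ECDSA_MBEDTLS),$(MBEDTLS_LIB_DIR)/pk_ecc.o)` so the dependency is explicit in one place.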
> diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
> index dda3f4dd6e4..8f366c744a5 100644
> --- a/lib/mbedtls/mbedtls_def_config.h
> +++ b/lib/mbedtls/mbedtls_def_config.h
> @@ -60,6 +60,24 @@
> #define MBEDTLS_HKDF_C
> #endif
>
> +#if CONFIG_IS_ENABLED(ECDSA)
> +#define MBEDTLS_ECDSA_C
> +#define MBEDTLS_ECP_C
> +#define MBEDTLS_BIGNUM_C
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED
> +#endif
> +
Currently they are enabled by MBEDTLS_LIB_TLS, refactoring is required
to select ECDSA when MBEDTLS_LIB_TLS is on, to avoid duplicated
defining macros here.
Regards,
Raymond
> #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
>
> #if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER)
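Review bot: The new block enables every curve mbedTLS knows about, including the legacy 192/224-bit NIST and Koblitz curves (SECP192R1, SECP224R1, SECP192K1, SECP224K1, SECP256K1) and the Brainpool set, and `MBEDTLS_ECP_DP_SECP256K1_ENABLED` is defined twice (second and ninth curve lines). For a boot-time signature verifier the curve list should be the minimum the consumers need — the sub-128-bit curves add code size and attack surface without any U-Boot user I am aware of (the existing ECDSA paths handle P-256/P-384 as far as I recall; please confirm). The guard is also `CONFIG_IS_ENABLED(ECDSA)` while the Makefile hunks key on `ECDSA_MBEDTLS`, so a build with ECDSA provided by another backend still defines MBEDTLS_ECDSA_C without compiling ecdsa.o; keying both on the same symbol avoids that drift. Suggested replacement for the block:

```c
#if CONFIG_IS_ENABLED(ECDSA_MBEDTLS)
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
#define MBEDTLS_BIGNUM_C
/*
 * Only the curves U-Boot's ECDSA consumers use; the 192/224-bit NIST,
 * Koblitz and Brainpool curves are left out to keep code size and
 * attack surface down. Extend this list deliberately, not by default.
 */
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
#endif
```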
> --
> 2.43.0
>